
Adopting Network Policies in Highly Secure Environments

2023-04-19

Authors:   Raymond de Jong


Summary

The presentation discusses how to achieve network security and observability using Cilium and eBPF features.
  • Use Cilium and eBPF features to achieve network security and observability
  • Prioritize by exposure: start with the services exposed outside the cluster through Ingress or the Gateway API
  • Then cover services reachable within the cluster across namespaces, and services with access to external resources (egress)
  • Start with an initial per-namespace policy, and use global policies across the platform, or even across clusters, via cluster-wide network policies to define the guardrails
  • Transition from per-namespace security with global policies as guardrails to more fine-grained policies
  • Use GitOps and CI/CD pipeline tools such as Argo CD, Flux and GitHub pipelines to manage network policies at scale
  • Automatically check policies for CIDR blocks that are not approved to be allowed
  • Unlock features in network security and observability using eBPF
The presenter demonstrated how to use Hubble UI and Cilium network policies to learn which FQDNs a workload reaches out to on the internet and to create a fine-grained network policy based on that information.
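The two pipeline steps above, the Hubble-driven FQDN policy from the demonstration and the automated check for unapproved CIDR blocks from the summary, as one added example. This is illustrative code written for this page, not code from the talk or from the Cilium project. The flow records are constructed and deliberately simplified (they keep only a namespace, the source labels and the DNS query, not the full `hubble observe -o json` schema), and the candidate policy is shown in the dict form a pipeline would get from `yaml.safe_load()`.

```python
"""Added example: guardrail helpers for a GitOps network-policy pipeline.

Part 1 turns observed DNS lookups into a fine-grained CiliumNetworkPolicy with
toFQDNs rules.  Part 2 checks a policy's CIDR rules against an approved allowlist
before it is merged.  Flow records are constructed and simplified, not the real
`hubble observe -o json` schema.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample flows: one record per DNS query seen by the Cilium DNS proxy.
OBSERVED_FLOWS: List[Dict] = [
    {"namespace": "shop", "labels": ["k8s:app=payments"], "dns_query": "api.stripe.com."},
    {"namespace": "shop", "labels": ["k8s:app=payments"], "dns_query": "api.stripe.com."},
    {"namespace": "shop", "labels": ["k8s:app=payments"], "dns_query": "sentry.io."},
    {"namespace": "shop", "labels": ["k8s:app=frontend"], "dns_query": "cdn.example.net."},
]


def observed_fqdns(flows: Iterable[Dict], namespace: str, app: str) -> List[str]:
    """Distinct FQDNs queried by pods labelled app=<app> in <namespace>."""
    names = set()
    for flow in flows:
        if flow["namespace"] != namespace or f"k8s:app={app}" not in flow["labels"]:
            continue
        names.add(flow["dns_query"].rstrip("."))  # drop the trailing dot of the DNS name
    return sorted(names)


def fqdn_egress_policy(namespace: str, app: str, fqdns: List[str]) -> Dict:
    """CiliumNetworkPolicy allowing DNS to kube-dns plus HTTPS to the given FQDNs.

    Because the endpointSelector matches the workload, all other egress from it is
    denied once this policy is applied (Cilium default-denies a direction as soon as
    one policy selects the endpoint for that direction).
    """
    return {
        "apiVersion": "cilium.io/v2",
        "kind": "CiliumNetworkPolicy",
        "metadata": {"name": f"{app}-egress-fqdn", "namespace": namespace},
        "spec": {
            "endpointSelector": {"matchLabels": {"app": app}},
            "egress": [
                {   # DNS must be allowed and proxied so toFQDNs can learn the resolved IPs
                    "toEndpoints": [{"matchLabels": {
                        "k8s:io.kubernetes.pod.namespace": "kube-system",
                        "k8s:k8s-app": "kube-dns"}}],
                    "toPorts": [{"ports": [{"port": "53", "protocol": "ANY"}],
                                 "rules": {"dns": [{"matchPattern": "*"}]}}],
                },
                {
                    "toFQDNs": [{"matchName": name} for name in fqdns],
                    "toPorts": [{"ports": [{"port": "443", "protocol": "TCP"}]}],
                },
            ],
        },
    }


def _cidrs_in(rule: Dict) -> Iterable[str]:
    """Yield every CIDR string a single ingress/egress rule refers to."""
    for key in ("toCIDR", "fromCIDR"):
        yield from rule.get(key, [])
    for key in ("toCIDRSet", "fromCIDRSet"):
        for entry in rule.get(key, []):
            yield entry["cidr"]


def unapproved_cidrs(policy: Dict, approved: Iterable[str]) -> List[str]:
    """Return 'direction: cidr' for each CIDR not contained in an approved block.

    A rule granting the 'world' or 'all' entity is reported too: it allows any
    external address and so bypasses the CIDR allowlist entirely.
    """
    allowed = [ipaddress.ip_network(a) for a in approved]
    findings = []
    for direction in ("ingress", "egress"):
        for rule in policy["spec"].get(direction, []):
            entities = rule.get("toEntities", []) + rule.get("fromEntities", [])
            if "world" in entities or "all" in entities:
                findings.append(f"{direction}: entity {'/'.join(entities)}")
            for cidr in _cidrs_in(rule):
                net = ipaddress.ip_network(cidr, strict=False)
                if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                    findings.append(f"{direction}: {cidr}")
    return findings


# Constructed candidate policy, as a CI job would see it after yaml.safe_load().
CANDIDATE_POLICY: Dict = {
    "apiVersion": "cilium.io/v2",
    "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "payments-egress-cidr", "namespace": "shop"},
    "spec": {
        "endpointSelector": {"matchLabels": {"app": "payments"}},
        "egress": [
            {"toCIDR": ["10.20.0.0/16", "0.0.0.0/0"]},
            {"toCIDRSet": [{"cidr": "203.0.113.0/24", "except": ["203.0.113.1/32"]}]},
        ],
    },
}
APPROVED_CIDRS = ["10.0.0.0/8", "203.0.113.0/24"]

if __name__ == "__main__":
    fqdns = observed_fqdns(OBSERVED_FLOWS, "shop", "payments")
    print("payments talks to:", fqdns)
    print("generated policy:", fqdn_egress_policy("shop", "payments", fqdns))
    print("unapproved in candidate:", unapproved_cidrs(CANDIDATE_POLICY, APPROVED_CIDRS))
```

Run as a pre-merge check, a non-empty result from `unapproved_cidrs` fails the pipeline; here the candidate is rejected because of `0.0.0.0/0`, while `10.20.0.0/16` and `203.0.113.0/24` sit inside approved blocks. The `except` list of a `toCIDRSet` entry is not validated, since it only narrows the allowed range.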

Abstract

In the world of distributed computing, everything goes over the network, but not everything should be public. Unfortunately, Kubernetes networking is open by default and it is up to you to adopt network policies to secure it. Using our knowledge of implementing network policies in complex regulated environments, we will introduce the fundamentals of Cilium Network Policies and the basics of application-aware and Identity-based Security. With these building blocks in place, we will compare a default-allow with a default-deny policy and how a risk-based approach helps you focus on securing the most sensitive workloads first. We will then discuss various exposure types and strategies for securing your workloads. Applying this theoretical knowledge to the real world, we will explore how observability tools Cilium, Hubble, and Grafana provide you with Network Policy superpowers, like showing how ingress and egress connections are visualized, enabling you to configure the Network Policies using the Network Policy editor. Finally, we will discuss how Network Policy Guardrails allow for keeping control while granting teams self-service management of Network Policies. The audience will learn how to secure their network effectively and efficiently, even for highly sensitive workloads.

Materials: